<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/sound/soc/sof/ipc3-control.c, branch v7.2-rc2</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc2</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v7.2-rc2'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2026-06-09T17:41:14+00:00</updated>
<entry>
<title>ASoC: SOF: ipc3-control: Fix heap overflow in bytes_ext put/get</title>
<updated>2026-06-09T17:41:14+00:00</updated>
<author>
<name>Peter Ujfalusi</name>
<email>peter.ujfalusi@linux.intel.com</email>
</author>
<published>2026-06-09T08:34:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=fd46668d538993218eea19c6925c868ac0f2630c'/>
<id>urn:sha1:fd46668d538993218eea19c6925c868ac0f2630c</id>
<content type='text'>
The ipc_control_data buffer is allocated as kzalloc(max_size), where
max_size covers the entire struct sof_ipc_ctrl_data including its
flexible array payload. However, the bounds checks in bytes_ext_put
and _bytes_ext_get compared user data lengths against max_size
directly, ignoring that cdata-&gt;data sits at an offset of
sizeof(struct sof_ipc_ctrl_data) bytes into the allocation.

This allowed writing up to sizeof(struct sof_ipc_ctrl_data) bytes past
the end of the heap buffer from unprivileged userspace via the ALSA TLV
kcontrol interface, and similarly allowed over-reading adjacent heap
data on the get path.

Fix all bounds checks to subtract sizeof(*cdata) from max_size so they
reflect the actual space available at the cdata-&gt;data offset. Also fix
the error-path restore in bytes_ext_put which wrote to cdata-&gt;data
instead of cdata, causing the same overflow.

Fixes: 67ec2a091630 ("ASoC: SOF: Add bytes_ext control IPC ops for IPC3")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Reviewed-by: Liam Girdwood &lt;liam.r.girdwood@intel.com&gt;
Reviewed-by: Bard Liao &lt;yung-chuan.liao@linux.intel.com&gt;
Link: https://patch.msgid.link/20260609083458.31193-7-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: SOF: ipc3-control: Fix TOCTOU in bytes_put and bytes_get</title>
<updated>2026-06-09T17:41:13+00:00</updated>
<author>
<name>Peter Ujfalusi</name>
<email>peter.ujfalusi@linux.intel.com</email>
</author>
<published>2026-06-09T08:34:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=1f97760417b5faa60e9642fd0ed61eb17d0b1b39'/>
<id>urn:sha1:1f97760417b5faa60e9642fd0ed61eb17d0b1b39</id>
<content type='text'>
In sof_ipc3_bytes_put(), the size used for the memcpy is derived from
the old data-&gt;size already in the buffer, not the incoming new data's
size field. If the new data has a different size, the copy length is
wrong: it may truncate valid data or copy stale bytes.

Similarly, sof_ipc3_bytes_get() checks data-&gt;size against max_size
without accounting for the sizeof(struct sof_ipc_ctrl_data) offset
of the flex array within the allocation.

Fix bytes_put to validate and use the incoming data's sof_abi_hdr.size
from ucontrol before copying. Fix bytes_get to subtract sizeof(*cdata)
from the bounds check to match the actual available space.

Fixes: 544ac8858f24 ("ASoC: SOF: Add bytes_get/put control IPC ops for IPC3")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Reviewed-by: Liam Girdwood &lt;liam.r.girdwood@intel.com&gt;
Reviewed-by: Bard Liao &lt;yung-chuan.liao@linux.intel.com&gt;
Link: https://patch.msgid.link/20260609083458.31193-6-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: SOF: ipc3-control: Validate size in snd_sof_update_control</title>
<updated>2026-06-09T17:41:12+00:00</updated>
<author>
<name>Peter Ujfalusi</name>
<email>peter.ujfalusi@linux.intel.com</email>
</author>
<published>2026-06-09T08:34:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=390aa4c9339bb0ec0bc8d554e830faf93ca9d49e'/>
<id>urn:sha1:390aa4c9339bb0ec0bc8d554e830faf93ca9d49e</id>
<content type='text'>
In snd_sof_update_control(), firmware-provided cdata-&gt;num_elems is
checked against local_cdata-&gt;data-&gt;size but never against the actual
allocation size. If local_cdata-&gt;data-&gt;size was previously set to an
inconsistent value, the memcpy could write past the allocated buffer.

Add a bounds check to ensure num_elems fits within the available space
in the ipc_control_data allocation before copying.

Fixes: 10f461d79c2d ("ASoC: SOF: Add IPC3 topology control ops")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Reviewed-by: Liam Girdwood &lt;liam.r.girdwood@intel.com&gt;
Reviewed-by: Bard Liao &lt;yung-chuan.liao@linux.intel.com&gt;
Link: https://patch.msgid.link/20260609083458.31193-5-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: SOF: ipc3-control: Use overflow checks in control_update size calc</title>
<updated>2026-06-09T17:41:11+00:00</updated>
<author>
<name>Peter Ujfalusi</name>
<email>peter.ujfalusi@linux.intel.com</email>
</author>
<published>2026-06-09T08:34:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=8791977d7289f6e9d2b014f60a5455f053a7bc04'/>
<id>urn:sha1:8791977d7289f6e9d2b014f60a5455f053a7bc04</id>
<content type='text'>
In sof_ipc3_control_update(), the expected_size calculation uses
firmware-provided cdata-&gt;num_elems in arithmetic that could overflow
on 32-bit platforms, wrapping to a small value. This would allow the
cdata-&gt;rhdr.hdr.size comparison to pass with mismatched sizes,
potentially leading to out-of-bounds access in snd_sof_update_control.

Use check_mul_overflow() and check_add_overflow() to detect and reject
overflowed size calculations.

Fixes: 10f461d79c2d ("ASoC: SOF: Add IPC3 topology control ops")
Cc: stable@vger.kernel.org
Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Reviewed-by: Liam Girdwood &lt;liam.r.girdwood@intel.com&gt;
Reviewed-by: Bard Liao &lt;yung-chuan.liao@linux.intel.com&gt;
Link: https://patch.msgid.link/20260609083458.31193-4-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: SOF: Intel: clarify Copyright information</title>
<updated>2024-05-06T14:59:35+00:00</updated>
<author>
<name>Pierre-Louis Bossart</name>
<email>pierre-louis.bossart@linux.intel.com</email>
</author>
<published>2024-05-03T14:03:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=293ad28116e2c3e4d3eb28bd0378558edc897f55'/>
<id>urn:sha1:293ad28116e2c3e4d3eb28bd0378558edc897f55</id>
<content type='text'>
For some reason a number of files included the "All rights reserved"
statement. Good old copy-paste made sure this mistake proliferated.

Remove the "All rights reserved" in all Intel-copyright to align with
internal guidance.

Reviewed-by: Cezary Rojewski &lt;cezary.rojewski@intel.com&gt;
Signed-off-by: Pierre-Louis Bossart &lt;pierre-louis.bossart@linux.intel.com&gt;
Reviewed-by: Bard Liao &lt;yung-chuan.liao@linux.intel.com&gt;
Reviewed-by: Péter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20240503140359.259762-2-pierre-louis.bossart@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: sof: Improve sof_ipc3_bytes_ext_put function</title>
<updated>2023-05-23T18:31:14+00:00</updated>
<author>
<name>Paul Olaru</name>
<email>paul.olaru@nxp.com</email>
</author>
<published>2023-05-03T08:10:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=299f6c752f8f7dabb62fe4df62ebd233b58402bd'/>
<id>urn:sha1:299f6c752f8f7dabb62fe4df62ebd233b58402bd</id>
<content type='text'>
The function is improved in the way that if the firmware returns a
validation error on the newly sent bytes, then the kernel will
automatically restore to the old bytes value for a given kcontrol.

This way, if the firmware rejects a data blob then the kernel will also
reject it, instead of saving it for the next suspend/resume cycle. The
old behaviour is that the kernel would save it anyway and on next
firmware boot it would apply the previously-rejected configuration,
leading to errors during playback.

Additionally, the function also saves previously validated
configurations, so that if the firmware does end up rejecting a new
bytes value the kernel can send an old, previously-valid configuration.

Reviewed-by: Daniel Baluta &lt;daniel.baluta@nxp.com&gt;
Reviewed-by: Péter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Signed-off-by: Paul Olaru &lt;paul.olaru@nxp.com&gt;
Signed-off-by: Daniel Baluta &lt;daniel.baluta@nxp.com&gt;
Link: https://lore.kernel.org/r/20230503081049.73847-2-daniel.baluta@oss.nxp.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: SOF: ipc3-control: Merge functions to handle bytes_ext get variants</title>
<updated>2023-03-13T14:06:49+00:00</updated>
<author>
<name>Peter Ujfalusi</name>
<email>peter.ujfalusi@linux.intel.com</email>
</author>
<published>2023-03-13T11:03:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=76fc628aebdb452e3c620d9ff5c5e9448d316754'/>
<id>urn:sha1:76fc628aebdb452e3c620d9ff5c5e9448d316754</id>
<content type='text'>
The code for bytes_ext_get and bytes_ext_volatile_get is identical with
the only difference is that in case of volatile_get we refresh the data
from the DSP before returning it to user space.

Convert the callbacks to a simple wrapper for the same function.

Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Reviewed-by: Pierre-Louis Bossart &lt;pierre-louis.bossart@linux.intel.com&gt;
Reviewed-by: Ranjani Sridharan &lt;ranjani.sridharan@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20230313110344.16644-3-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: SOF: ipc3-control: Rename snd_sof_refresh_control()</title>
<updated>2023-03-13T14:06:48+00:00</updated>
<author>
<name>Peter Ujfalusi</name>
<email>peter.ujfalusi@linux.intel.com</email>
</author>
<published>2023-03-13T11:03:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3eac8de3f51b3567c4ba6139736b59027da56285'/>
<id>urn:sha1:3eac8de3f51b3567c4ba6139736b59027da56285</id>
<content type='text'>
Rename the snd_sof_refresh_control() to sof_ipc3_refresh_control() to
follow the function naming convention for IPC specific code.

Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Reviewed-by: Pierre-Louis Bossart &lt;pierre-louis.bossart@linux.intel.com&gt;
Reviewed-by: Ranjani Sridharan &lt;ranjani.sridharan@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20230313110344.16644-2-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: SOF: Protect swidget-&gt;use_count with mutex for kcontrol access race</title>
<updated>2023-01-27T12:14:12+00:00</updated>
<author>
<name>Peter Ujfalusi</name>
<email>peter.ujfalusi@linux.intel.com</email>
</author>
<published>2023-01-27T12:00:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f94f3915274d22d5cd8b253e0533822b934f5f41'/>
<id>urn:sha1:f94f3915274d22d5cd8b253e0533822b934f5f41</id>
<content type='text'>
The use_count of the swidget is protect by ALSA core PCM locking with the
exception when an associated kcontrol is changed.

It has been observed that a rightly timed kcontrol access during stream
stop can result of an attempt to send a control update to a widget which
has been freed up between the check of the use_count and the message
sending.

We need to protect the entire sof_widget_setup() and sof_widget_free()
execution to make it safe to rely on the use_count.
Move the code under an _unlocked() function and use a mutex to protect
the execution of the functions for concurrency.
On the control path we need to use the lock only for the kcontrol access,
the widget_kcontrol_setup() op is called with the lock already held.

Reported-by: Guennadi Liakhovetski &lt;guennadi.liakhovetski@linux.intel.com&gt;
Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Reviewed-by: Pierre-Louis Bossart &lt;pierre-louis.bossart@linux.intel.com&gt;
Reviewed-by: Ranjani Sridharan &lt;ranjani.sridharan@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20230127120031.10709-18-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
<entry>
<title>ASoC: SOF: ipc3: Remove the ipc3-ops.h header file</title>
<updated>2022-05-04T14:31:18+00:00</updated>
<author>
<name>Peter Ujfalusi</name>
<email>peter.ujfalusi@linux.intel.com</email>
</author>
<published>2022-05-04T10:28:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=f80beaf6f2b1eb55fb1b2128a43e0a0c9c4d19de'/>
<id>urn:sha1:f80beaf6f2b1eb55fb1b2128a43e0a0c9c4d19de</id>
<content type='text'>
Only the main IPC ops struct should be visible outside of IPC3 code to make
sure that the code is correctly abstracted.

Instead of keeping the ipc3-ops.h with only the high level ops struct
declaration, put the ipc3_ops to sof-priv.h and move all other ops struct
declaration into ipc3-priv.h

New IPC implementation should follow this route: the main IPC ops should be
declared in sof-priv.h and no other IPC version related header be used
for generic code.

Signed-off-by: Peter Ujfalusi &lt;peter.ujfalusi@linux.intel.com&gt;
Reviewed-by: Pierre-Louis Bossart &lt;pierre-louis.bossart@linux.intel.com&gt;
Reviewed-by: Ranjani Sridharan &lt;ranjani.sridharan@linux.intel.com&gt;
Reviewed-by: Bard Liao &lt;yung-chuan.liao@linux.intel.com&gt;
Link: https://lore.kernel.org/r/20220504102831.10071-1-peter.ujfalusi@linux.intel.com
Signed-off-by: Mark Brown &lt;broonie@kernel.org&gt;
</content>
</entry>
</feed>
